Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #3078 -- newforms: Added HTML escaping to label_tag() calls. Th…

…anks, SmileyChris

git-svn-id: http://code.djangoproject.com/svn/django/trunk@4133 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 4db61fb406afb8447fb8dfe4808ccb426b824064 1 parent 8aae90c
@adrianholovaty adrianholovaty authored
Showing with 2 additions and 2 deletions.
  1. +2 −2 django/newforms/forms.py
View
4 django/newforms/forms.py
@@ -82,7 +82,7 @@ def as_table(self):
bf = BoundField(self, field, name)
if bf.errors:
output.append(u'<tr><td colspan="2">%s</td></tr>' % bf.errors)
- output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(bf.verbose_name+':'), bf))
+ output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(escape(bf.verbose_name+':')), bf))
return u'\n'.join(output)
def as_ul(self):
@@ -96,7 +96,7 @@ def as_ul(self):
line = u'<li>'
if bf.errors:
line += str(bf.errors)
- line += u'%s %s</li>' % (bf.label_tag(bf.verbose_name+':'), bf)
+ line += u'%s %s</li>' % (bf.label_tag(escape(bf.verbose_name+':')), bf)
output.append(line)
return u'\n'.join(output)
Please sign in to comment.
Something went wrong with that request. Please try again.